Changing host_permissions array disables extension on update

[nem...@readcube.com]

We are updating our extension to the manifest v3 and we are having now new field in manifest host_permissions. In that array we are having list of all urls of the pages that our extension should support. We did it that way to avoid using "all_urls" permission which was advice for Google to avoid long review times.

Often, when we are updating an extension, we are adding support for some new page, so we need to add new url to host_permissions field. Previously on manifest v2, if I'm not mistaken, just adding new url to the permissions field was not causing extension disable on update. Now with manifest v3, every update of host_permissions array will disable extension for all the users with pretty scary warning (attached).

It doesn't make any sense to me. Should we just switch to "all_urls" instead and have extension disabled on just one update instead on every one? Does "all_urls" permission still cause increased review times even on manifest 3?

[Roberto Oneto]

Start reading this:  https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions

[nem...@readcube.com]

I did in a meantime. Basically it says that every change of `host_permissions` will trigger the warning, which doesn't make any sense to me. So declaring once "all_urls" is "more safe" for users from googles standpoint because it will trigger the warning only on one update.

My question about review time for extensions with "all_urls" permission still stands.

[Roberto Oneto]

You can also use  optional_host_permissions and request user permissions ar runtime.

Basically it says that every change of `host_permissions` will trigger the warning, which doesn't make any sense to me

It seems normal to you that an extension (which could also be your extension) has the ability to collect and transmit data to each endpoint (<all_urls>)? If an extension requires new permissions in the manifest, it is a good thing for a user to be notified about it.

[nem...@readcube.com]

It would make sense maybe if warning is something different then "It can now read and change all your data on all websites" which is simply not true. I have explicitly set websites that it needs permission for, and adding one more website to that list should not tell user that now I can access all websites.

[Roberto Oneto]

The warning message changes depending on what you had before and what you have now (with the new version) in the host_permissions section. If you show us this section in the two versions of your extension we will tell you whether the message (which you posted together with the first message) is correct or not.

[nem...@readcube.com]

Sure, here is the screenshot that shows diff between current store listing (manifest v2) and new one that we are trying to update. What is not seen from the screenshot is this long list of explicitly set urls that we are requiring host permissions for. In new version, that list has one new value: "*://*.getft.io/*". And for that change only, after update, users will get waring that says "It can now read and change all your data on all websites". When I remove that one new website url, no warning is shown on update and extension is remained in enabled state (all tested with update tool)

[Roberto Oneto]

At first sight it'd seem that a message like ""  "It can now read and change all your data on all websites" is unjustified.

Try to run this command in console: chrome.management.getPermissionWarningsByManifest(<your_manifest_as_string>, console.table)

Is it possible that you have a section: "content_scripts" where you declare a script that is injected on all URLs?

When I remove that one new website url, no warning is shown on update and extension is remained in enabled state (all tested with update tool)

It's normal behavior!  The user profile that has installed-updated your extension with those privileges keeps them unless the extension is reinstalled.

[nem...@readcube.com]

Thanks for helping. This is the result of that command:

(index)
Value
0 'Read and change all your data on all websites'

I have only one content script value, and it matches only one url explicitly:

  "content_scripts": [
    {
      "matches": ["https://www.rightfind.com/*"],
      "js": ["/iframeRightfind.js"],
      "all_frames": true,
      "match_about_blank": true
    }
  ],

[Roberto Oneto]

At this point I would no longer know what to suggest..
Maybe someone from the group who is reading ...
Try to relaunch the "getPermissionWarningsByManifest" command by removing "tabs" permission to see if something changes.

There are some  permissions  that trigger certain warnings when come in conjunction with others permissions.

[woxxom]

Judging by the source code, "all sites" permission warning is caused by a host that is a top-level domain, i.e. it can contain any amount of sites for different companies/entities e.g. "*://*.edu.au/*" in your manifest.json and others. You can find them by using a utility or a nodejs package that checks the public suffix list.

[nem...@readcube.com]

wow, thats a great catch, thanks! I will try to remove those and see what happens next.

[nem...@readcube.com]

thanks, that was the problem. I removed all top level domains and now warning message has more sense. see attached.

I have another question though. Which permission causes "Read your browsing history warning"? Because we are not doing anything with users browsing history.

Thanks again for big help

On Monday, July 15, 2024 at 4:02:39 PM UTC+2 woxxom wrote:

[nem...@readcube.com]

attachment with warning

[woxxom]

See https://developer.chrome.com/docs/extensions/mv3/permission_warnings, it's from tabs and webNavigation.

As I regularly argue this warning is extremely poorly worded, which regularly deceives users into thinking the extension wants to exfiltrate their previously visited sites, because "read" + "history" can only mean exactly that and not the nonsensical "history from the point of installation onward" currently implied in chromium. Firefox says "Access browser activity during navigation", which isn't precise either, but at least it's not misleading.

[nem...@readcube.com]

thanks, I agree with you. such a lazy job from chrome on permissions part :/

[حسين جلي‎]

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/b4161ec4-ab3b-4569-a10d-66e88effebf4n%40chromium.org.